SAINT-GOBAIN REGISTRATION DOCUMENT 2017

Risks and control / Internal control

2.4.6 Industrial and distribution risk prevention manual

The Group's policy for prevention of property damage and the resulting operating losses, compiled as part of an internal collection of standards and best practices, is defined by the Risk and Insurance Department (DRA). The DRA coordinates policy implementation through the Sectors and Activities with the support of the General Delegations. Within the Sectors and Activities, Prevention Coordinators manage the application of Group policy within the scope of their activities. At the site level, those in charge of Prevention Management perform an annual self-assessment of risks at their sites via a risk rating software package. This tool assesses risks as well as the corresponding levels of protection and prevention. The self-assessment is updated annually by the industrial sites, the Research and Development Centers and the logistical sites. A special assessment is carried out for the points of sale. Furthermore, regular inspections of the Group's most important sites are carried out by prevention engineers, who are auditors external to the Group (approximately 450 inspections per year). The sites update their action plans with a view to improving their level of prevention and protection based on the recommendations prepared by these prevention engineers.

2.4.7 Tools of the Group's culture of compliance

The culture of compliance that drives the Group has developed through its values, which are formally stated in the Principles of Conduct and Action. The compliance program currently focuses on the following main themes: compliance with rules relating to competition law, preventing corruption, and compliance with economic sanctions and embargos.
The tools used in implementing the program include:
- a dedicated intranet, entitled Conform'Action, on which key messages are posted and tools made available;
- online training modules such as Comply (competition law), ACT (preventing corruption) and Saint-Gobain Economic Sanctions and Embargos (rules relating to economic sanctions and embargos);
- in-person training;
- distribution of practical and technical guides: the Thread of Competition, 20 best practices in competition law for purchasers, the Thread of Anti-Corruption;
- the dissemination and implementation of internal policies such as: anti-corruption policy, gifts and invitations policy,

The Information Systems Department has defined and rolled out:
- a tool (RMT, Rights Management Tool) for controlling SAP user rights and managing conflicting segregations of duties. This tool will be gradually integrated into all the Group's SAP systems;
- a technical standard to manage the technical and business accounts that access applications (ATA/ABA, Application Technical Accounts/Application Business Accounts);
- a Web Application Secured Development standard (WASD) (3.2);
- a technical standard to Secure the Hosting of Internet Applications (SHIA);
- a technical standard for SaaS systems which defines the responsibilities and the security measures to implement;
- a set of security rules used to monitor annually the security of the central and regional datacenters (Datacenter Security Rules 4 SG, the new version of the 55 Datacenter Rules);
- a technical standard for the security of applications hosted by Saint-Gobain partners for publication on the internet.

Moreover, the ITAC reference guide was published in 2012 as an addition to the Internal Control Reference Framework. It describes the automated and semi-automated controls used for five key processes: Purchasing, Sales, Inventory, Cash Management and Accounting. It covers the Group's main ERP software and includes:
- a reference guide for SAP: ITAC4SAP with 143 control points;
- a reference guide for MOVEX M3: ITAC4M3 with 96 control points;
- a reference guide for EXACT: ITAC4EXACT with 85 control points.

The ITAC4SAP reference guide was updated for consistency with the update to the Internal Control Reference Framework (143 control points, including the controls for the separation of tasks).
The controls are being gradually integrated into the Group's information systems as follows:
- ITAC100 ITAC4SAP for SAP systems (deployed in 22 SAP systems covering 121 Group companies), including specific updates for the Building Distribution Sector;
- ITAC96 ITAC4M3 for MOVEX M3 systems (deployed in 4 M3 systems covering 17 Group companies);
- ITAC85 ITAC4EXACT for EXACT systems (deployed in 1 EXACT system covering 2 Group companies);
- ITAC principles deployed in 1 MS Dynamics system covering 1 Group company.
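The RMT tool described above checks SAP user rights for conflicting segregation-of-duties combinations, and the ITAC4SAP control points include controls for the separation of tasks. As an added example (not Saint-Gobain's RMT, its rule set, or any ITAC control point), the following Python shows the mechanism such a check rests on: role-to-transaction authorizations, a conflict matrix of incompatible duties, a detective audit over existing assignments, and a preventive check run before a role is granted. The role names, the transaction codes, the conflict rules and the user assignments are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict detection over ERP role assignments.

Added example: this is not Saint-Gobain's RMT tool or its rule set. The role
names, SAP-style transaction codes, conflict rules and user assignments are
constructed for illustration only.
"""
from itertools import combinations

# Constructed role -> transaction-code authorizations.
ROLE_AUTHS = {
    "Z_VENDOR_MAINT": {"XK01", "XK02"},            # create / change vendor master
    "Z_AP_PAYMENTS": {"F110", "F-53"},             # payment run / post outgoing payment
    "Z_PURCHASER": {"ME21N", "ME22N"},             # create / change purchase order
    "Z_GOODS_RECEIPT": {"MIGO"},                   # post goods receipt
    "Z_AP_INVOICE": {"MIRO"},                      # enter incoming invoice
    "Z_P2P_SUPERUSER": {"ME21N", "MIGO", "MIRO"},  # one role spanning the whole chain
    "Z_DISPLAY_ONLY": {"ME23N", "XK03"},           # display-only transactions
}

# Constructed conflict matrix: (side A tcodes, side B tcodes, risk description).
# A user holding any tcode from side A AND any tcode from side B is in conflict.
CONFLICT_RULES = [
    ({"XK01", "XK02"}, {"F110", "F-53"}, "maintain vendor master AND pay vendors"),
    ({"ME21N", "ME22N"}, {"MIGO"}, "create purchase order AND receive goods"),
    ({"ME21N", "ME22N"}, {"MIRO"}, "create purchase order AND post invoice"),
]

# Constructed user -> role assignments (what a rights-management tool reads from the ERP).
USER_ROLES = {
    "alice": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "bob": ["Z_PURCHASER", "Z_DISPLAY_ONLY"],
    "carol": ["Z_P2P_SUPERUSER"],
}


def effective_auths(roles, role_auths=ROLE_AUTHS):
    """Union of the transaction codes granted by a list of roles."""
    auths = set()
    for role in roles:
        auths |= role_auths.get(role, set())
    return auths


def sod_conflicts(auths, rules=CONFLICT_RULES):
    """Rules violated by one authorization set: (description, side-A hits, side-B hits)."""
    found = []
    for side_a, side_b, desc in rules:
        hit_a, hit_b = sorted(auths & side_a), sorted(auths & side_b)
        if hit_a and hit_b:  # both halves of an incompatible duty pair are present
            found.append((desc, hit_a, hit_b))
    return found


def conflicting_roles(roles, role_auths=ROLE_AUTHS, rules=CONFLICT_RULES):
    """Remediation hint: roles that conflict on their own (intra-role), plus
    pairs of otherwise clean roles that conflict only in combination."""
    culprits = []
    for role in roles:
        if sod_conflicts(effective_auths([role], role_auths), rules):
            culprits.append((role,))
    for a, b in combinations(roles, 2):
        alone_clean = (not sod_conflicts(effective_auths([a], role_auths), rules)
                       and not sod_conflicts(effective_auths([b], role_auths), rules))
        if alone_clean and sod_conflicts(effective_auths([a, b], role_auths), rules):
            culprits.append((a, b))
    return culprits


def audit_users(user_roles=USER_ROLES, role_auths=ROLE_AUTHS, rules=CONFLICT_RULES):
    """Detective control: report every user whose combined roles violate a rule."""
    report = {}
    for user, roles in user_roles.items():
        conflicts = sod_conflicts(effective_auths(roles, role_auths), rules)
        if conflicts:
            report[user] = [desc for desc, _, _ in conflicts]
    return report


def can_assign(user, new_role, user_roles=USER_ROLES, role_auths=ROLE_AUTHS, rules=CONFLICT_RULES):
    """Preventive control: refuse a grant that would introduce a new conflict.
    Adding a role can only add authorizations, so the conflict count is monotonic."""
    current = user_roles.get(user, [])
    before = sod_conflicts(effective_auths(current, role_auths), rules)
    after = sod_conflicts(effective_auths(current + [new_role], role_auths), rules)
    return len(after) == len(before)


if __name__ == "__main__":
    for user, risks in audit_users().items():
        print(f"{user}: {'; '.join(risks)}  (culprit roles: {conflicting_roles(USER_ROLES[user])})")
    print("bob + Z_GOODS_RECEIPT allowed:", can_assign("bob", "Z_GOODS_RECEIPT"))
```

The rules are evaluated on the effective transaction set, not on role names, so a single role that covers the whole purchase-to-pay chain (carol) is flagged just like two roles that only conflict in combination (alice); the detective report says who is in conflict, `conflicting_roles` says which assignment to strip, and `can_assign` is the gate a provisioning workflow should call before a grant reaches the ERP.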
